* Proxy backend requests on '/' to the frontend
If the optional extra `proxy` is installed, then the backend can handle all
requests by proxy unrecognized routes to the frontend nextjs server.
* Update lock file
* pre-commit fu
* AppHarness: set config frontend_port and backend_port
* integration: frontend port and backend port should return the same content
with proxying enabled by default in dev mode, both frontend and backend ports
on / should return the same content.
* Retry up to 100 times when proxying to frontend
* Reduce retry attempts to 25
Fix log level passing to subprocess
* scripts/wait_for_listening_port: primarily check HTTP responses
if the port is up or not, we don't really care... the HTTP request needs to
work and not return errors
* aiohttp is an optional dep
* adapt integration.sh for --backend-only (counter integration test)
* woops
* windows WTF?
* scratching my head 🎄
* double WTF windows
* Fix remaining integration tests
* Throw warnings when Redis lock is held for more than the allowed threshold
* initial tests
* fix tests and address comments
* fix tests fr, and use pydantic validators
* darglint fix
* increase lock expiration in tests to 2500
* remove print statement
---------
Co-authored-by: Khaleel Al-Adhami <khaleel.aladhami@gmail.com>
* Reuse the sqlalchemy engine once it's created
* Implement `rx.asession` for async database support
Requires setting `async_db_url` to the same database as `db_url`, except using
an async driver; this will vary by database.
* resolve the url first, so the key into _ENGINE is correct
* Ping db connections before returning them from pool
Move connect engine kwargs to a separate function
* the param is `echo`
* sanity check that config db_url and async_db_url are the same
throw a warning if the part following the `://` differs between these two
* create_async_engine: use sqlalchemy async API
update types
* redact ASYNC_DB_URL similarly to DB_URL when overridden in config
* update rx.asession docstring
* use async_sessionmaker
* Redact sensitive env vars instead of hiding them
* fix and test bug in config env loading
* streamline env var interpretation with @adhami3310
* improve error messages, fix invalid value for TELEMETRY_ENABLED
* just a small hint
* ruffing
* fix typo from review
* refactor - ruff broke the imports..
* cleanup imports
* more
* add internal and enum env var support
* ruff cleanup
* more global imports
* revert telemetry, it lives in rx.Config
* minor fixes/cleanup
* i missed some refs
* fix darglint
* reload config is internal
* fix EnvVar name
* add test for EnvVar + minor typing improvement
* bool tests
* was this broken?
* retain old behavior
* migrate APP_HARNESS_HEADLESS to new env var system
* migrate more APP_HARNESS env vars to new config system
* migrate SCREENSHOT_DIR to new env var system
* refactor EnvVar.get to be a method
* readd deleted functions and deprecate them
* improve EnvVar api, cleanup RELOAD_CONFIG question
* move is_prod_mode back to where it was
* add existing path subclass for env checks
* use the power of dataclasses
* use metaclass
* fake the class name
* use annotated
* use flag instead of dict
* dang it darglint
* cleanups
* fix and test bug in config env loading
* streamline env var interpretation with @adhami3310
* improve error messages, fix invalid value for TELEMETRY_ENABLED
* just a small hint
* ruffing
* fix typo from review
* move all environment variables to the same place
* reorder things around
* move more variables to environment
* remove cyclical imports
* forgot default value for field
* for some reason type hints aren't being interpreted
* put the field type *before* not after
* make it get
* move a bit more
* add more fields
* move reflex dir
* add return
* put things somewhere else
* add custom error
* use pathlib as much as possible
* fixstuff
* break locally to unbreak in CI 🤷
* add type on env
* debug attempt 1
* debugged
* oops, there is the actual fix
* fix 3.9 compat
* upgrade to latest pip for in_docker_test_script.sh
* Bump gunicorn to 22.0.0 (security)
Changelog: https://docs.gunicorn.org/en/stable/news.html#id1
use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135
* Remove TYPE_CHECKING guard for pydantic v1 imports
Retain TYPE_CHECKING guard in v1 fallback to force pyright into pydantic.v1 namespace
* Run unit tests with pydantic v1 now that v2 is installed via poetry
* add more tests
* add tests to raise coverage
* more tests, bump coverage to 73
* fix up icon_button test
* fix darglint for app.py
* fix utcnow usage warning
* set threshold to 72
* fix timestamp
* fix unit tests for linux-redis
* removed commented code and put a TODO
* Remove upper bounds of most dependencies.
Also adds a import try except block for pydantic.v1 and relocks.
Keep black and ruff to not mess to much with current formatting
Make pyright see the right import as long as constraint still lock pydantiv v1
Down pin pytest-asyncio again due to known issue
Fix upload handler with latest versions of fastapi
Change comment
* Add changed lockfile
* Set max versions for deps
* Revert app.pyi
---------
Co-authored-by: Malte Klemm <malte.klemm@blueyonder.com>
Co-authored-by: Nikhil Rao <nikhil@reflex.dev>
* rebase
* pass include_children kwarg in radix FormRoot
* respect include_children
* ruff fixes
* readd statemanager init, run pyi gen
* minor performance imporovements, fix for state changes
* fix pyi and pyright
* pass include_children for chakra
* remove old state detection
* add test for unused states in stateless app
---------
Co-authored-by: Masen Furer <m_github@0x26.net>
